RubyGems - ios-cert-enrollment - Versions diffs - 0.0.2 - Mend

ios-cert-enrollment 0.0.2

Files changed (9) hide show

data/lib/ios-cert-enrollment.rb +8 -0
data/lib/ios-cert-enrollment/certificate.rb +16 -0
data/lib/ios-cert-enrollment/configuration.rb +29 -0
data/lib/ios-cert-enrollment/device.rb +15 -0
data/lib/ios-cert-enrollment/profile.rb +153 -0
data/lib/ios-cert-enrollment/sign.rb +85 -0
data/lib/ios-cert-enrollment/ssl.rb +17 -0
data/lib/ios-cert-enrollment/version.rb +3 -0
metadata +130 -0

@@ -0,0 +1,8 @@
+require File.expand_path('../ios-cert-enrollment/configuration', __FILE__)
+require File.expand_path('../ios-cert-enrollment/sign', __FILE__)
+require File.expand_path('../ios-cert-enrollment/profile', __FILE__)
+require File.expand_path('../ios-cert-enrollment/device', __FILE__)
+module IOSCertEnrollment
+  extend Configuration
+end

data/lib/ios-cert-enrollment/certificate.rb ADDED

@@ -0,0 +1,16 @@
+require File.expand_path('../configuration', __FILE__)
+require "openssl"
+module IOSCertEnrollment
+  class Certificate
+    attr_accessor :certificate, :mime_type
+    def initialize(certificate,mime_type)
+      self.certificate = certificate
+      self.mime_type = mime_type
+    end
+  end
+end

data/lib/ios-cert-enrollment/configuration.rb ADDED

@@ -0,0 +1,29 @@
+require File.expand_path('../version', __FILE__)
+module IOSCertEnrollment
+  # Defines constants and methods related to configuration
+  module Configuration
+    VALID_OPTIONS_KEYS = [
+      :ssl_certificate_path,
+      :ssl_key_path,
+      :base_url,
+      :identifier,
+      :display_name,
+      :organization
+    ].freeze
+    attr_accessor *VALID_OPTIONS_KEYS
+    # Convenience method to allow configuration options to be set in a block
+    def configure
+      yield self
+    end
+    # Create a hash of options and their values
+    def options
+      VALID_OPTIONS_KEYS.inject({}) do |option, key|
+        option.merge!(key => send(key))
+      end
+    end
+  end
+end

data/lib/ios-cert-enrollment/device.rb ADDED

@@ -0,0 +1,15 @@
+require File.expand_path('../configuration', __FILE__)
+require File.expand_path('../certificate', __FILE__)
+require File.expand_path('../ssl', __FILE__)
+require "plist"
+module IOSCertEnrollment
+  module Device
+    class << self
+      def parse(p7sign)
+        return Plist::parse_xml(p7sign.data)
+      end
+    end
+  end
+end

data/lib/ios-cert-enrollment/profile.rb ADDED

@@ -0,0 +1,153 @@
+require File.expand_path('../configuration', __FILE__)
+require "rubygems"
+require "uuidtools"
+require "plist"
+module IOSCertEnrollment
+  class Profile
+    attr_accessor :url, :identifier, :display_name, :description, :icon, :payload, :organization, :expiration
+    def initialize(url="")
+      self.url = IOSCertEnrollment.base_url + url
+      self.identifier = IOSCertEnrollment.identifier
+      self.display_name = IOSCertEnrollment.display_name
+      self.organization = IOSCertEnrollment.organization
+      self.description = ""
+      self.expiration = nil
+    end
+    def service
+        payload = general_payload()
+        payload['PayloadType'] = "Profile Service" # do not modify
+        payload['PayloadIdentifier'] = self.identifier+".mobileconfig.profile-service"
+        # strings that show up in UI, customizable
+        payload['PayloadDisplayName'] = self.display_name
+        payload['PayloadDescription'] = self.description
+        payload_content = Hash.new
+	      payload_content['URL'] = self.url
+        payload_content['DeviceAttributes'] = [
+            "UDID",
+            "VERSION",
+            "PRODUCT",              # ie. iPhone1,1 or iPod2,1
+            "DEVICE_NAME",          # given device name "My iPhone"
+            "MAC_ADDRESS_EN0",
+            "IMEI",
+            "ICCID"
+            ];
+        payload['PayloadContent'] = payload_content
+        self.payload = Plist::Emit.dump(payload)
+        return self
+    end
+    def encrypted_service
+      ## ASA encryption_cert_payload
+        payload = general_payload()
+        payload['PayloadIdentifier'] = self.identifier+".encrypted-profile-service"
+        payload['PayloadType'] = "Configuration" # do not modify
+        # strings that show up in UI, customisable
+        payload['PayloadDisplayName'] = self.display_name
+        payload['PayloadDescription'] = self.description
+        payload['PayloadContent'] = [encryption_cert_request("Profile Service")];
+        self.payload = Plist::Emit.dump(payload)
+        return self
+    end
+    def webclip
+        webclip_payload = general_payload()
+        webclip_payload['PayloadIdentifier'] = self.identifier+".webclip.tester"
+        webclip_payload['PayloadType'] = "com.apple.webClip.managed" # do not modify
+        # strings that show up in UI, customisable
+        webclip_payload['PayloadDisplayName'] = self.display_name
+        webclip_payload['PayloadDescription'] = self.description
+        # allow user to remove webclip
+        webclip_payload['IsRemovable'] = true
+        webclip_payload['FullScreen'] = true
+        webclip_payload['Icon'] = self.icon
+        webclip_payload['Precomposed'] = true
+        # the link
+        webclip_payload['Label'] = self.display_name
+        webclip_payload['URL'] = self.url
+        #client_cert_payload = scep_cert_payload(request, "Client Authentication", "foo");
+        self.payload = Plist::Emit.dump(payload)
+        return self
+    end
+    def configuration(encrypted_content)
+        payload = general_payload()
+        payload['PayloadIdentifier'] = self.identifier+".intranet"
+        payload['PayloadType'] = "Configuration" # do not modify
+        # strings that show up in UI, customisable
+        payload['PayloadDisplayName'] = self.display_name
+        payload['PayloadDescription'] = self.description
+        payload['PayloadExpirationDate'] = self.expiration || Date.today + (360 * 10) # expire in 10 years
+        payload['EncryptedPayloadContent'] = StringIO.new(encrypted_content)
+        self.payload = Plist::Emit.dump(payload)
+        return self
+    end
+    def sign
+      signed_profile = OpenSSL::PKCS7.sign(SSL.certificate, SSL.key,  self.payload, [], OpenSSL::PKCS7::BINARY)
+      return Certificate.new(signed_profile.to_der, "application/x-apple-aspen-config")
+    end
+    def encrypt(certificates)
+      encrypted_profile = OpenSSL::PKCS7.encrypt(certificates, self.payload, OpenSSL::Cipher::Cipher::new("des-ede3-cbc"), OpenSSL::PKCS7::BINARY)
+      return Certificate.new(encrypted_profile.to_der, "application/x-apple-aspen-config")
+    end
+    private
+    def encryption_cert_request(purpose)
+        ## AKA scep_cert_payload
+        payload = general_payload()
+        payload['PayloadIdentifier'] = self.identifier+".encryption-cert-request"
+        payload['PayloadType'] = "com.apple.security.scep" # do not modify
+        payload['PayloadDisplayName'] = purpose
+        payload['PayloadDescription'] = "Provides device encryption identity"
+        payload_content = Hash.new
+        payload_content['URL'] = self.url
+        payload_content['Subject'] = [ [ [ "O", self.organization ] ],
+            [ [ "CN", purpose + " (" + UUIDTools::UUID.random_create().to_s + ")" ] ] ];
+        payload_content['Keysize'] = 1024
+        payload_content['Key Type'] = "RSA"
+        payload_content['Key Usage'] = 5 # digital signature (1) | key encipherment (4)
+        payload_content['GetCACaps'] = ["POSTPKIOperation","Renewal","SHA-1"]
+        payload['PayloadContent'] = payload_content;
+        payload
+    end
+    def general_payload()
+        payload = Hash.new
+        payload['PayloadVersion'] = 1 # do not modify
+        payload['PayloadUUID'] = UUIDTools::UUID.random_create().to_s # should be unique
+        payload['PayloadOrganization'] = self.organization
+        payload
+    end
+  end
+end

data/lib/ios-cert-enrollment/sign.rb ADDED

@@ -0,0 +1,85 @@
+require File.expand_path('../configuration', __FILE__)
+require File.expand_path('../certificate', __FILE__)
+require File.expand_path('../ssl', __FILE__)
+require "openssl"
+module IOSCertEnrollment
+  module Sign
+    class << self
+      def registration_authority
+        scep_certs = OpenSSL::PKCS7.new()
+        scep_certs.type="signed"
+        scep_certs.certificates=[SSL.certificate,SSL.certificate]
+        return Certificate.new(scep_certs.to_der, "application/x-x509-ca-ra-cert")
+      end
+      def certificate_authority_caps
+        return "POSTPKIOperation\nSHA-1\nDES3\n"
+      end
+      def sign_PKI(data)
+        p7sign = OpenSSL::PKCS7.new(data)
+        store = OpenSSL::X509::Store.new
+        p7sign.verify(nil, store, nil, OpenSSL::PKCS7::NOVERIFY)
+        signers = p7sign.signers
+        p7enc = OpenSSL::PKCS7.new(p7sign.data)
+        # Certificate Signing Request
+        csr = p7enc.decrypt(SSL.key, SSL.certificate)
+        # Signed Certificate
+        cert = self.sign_certificate(csr)
+        degenerate_pkcs7 = OpenSSL::PKCS7.new()
+        degenerate_pkcs7.type="signed"
+        degenerate_pkcs7.certificates=[cert]
+        enc_cert = OpenSSL::PKCS7.encrypt(p7sign.certificates, degenerate_pkcs7.to_der,
+            OpenSSL::Cipher::Cipher::new("des-ede3-cbc"), OpenSSL::PKCS7::BINARY)
+        reply = OpenSSL::PKCS7.sign(SSL.certificate, SSL.key, enc_cert.to_der, [], OpenSSL::PKCS7::BINARY)
+        return Certificate.new(reply.to_der, "application/x-pki-message")
+      end
+      def verify_response(raw_postback_data)
+        p7sign = OpenSSL::PKCS7.new(raw_postback_data)
+        store = OpenSSL::X509::Store.new
+        p7sign.verify(nil, store, nil, OpenSSL::PKCS7::NOVERIFY)
+        return p7sign
+      end
+      def verify_signer(p7sign)
+        signers = p7sign.signers
+        return (signers[0].issuer.to_s == SSL.certificate.subject.to_s)
+      end
+    end
+    private
+    def self.sign_certificate(signing_request)
+      request = OpenSSL::X509::Request.new(signing_request)
+      # New Certificate
+      cert = OpenSSL::X509::Certificate.new
+      cert.version = 2
+      cert.serial = 1
+      cert.subject = request.subject
+      cert.issuer = SSL.certificate.subject
+      cert.public_key = request.public_key
+      cert.not_before = Time.now
+      cert.not_after = Time.now+(86400*1)
+      # Prepare to sign
+      ef = OpenSSL::X509::ExtensionFactory.new
+      ef.subject_certificate = cert
+      ef.issuer_certificate = SSL.certificate
+      cert.add_extension(ef.create_extension("keyUsage", "digitalSignature,keyEncipherment", true))
+      cert.sign(SSL.key, OpenSSL::Digest::SHA1.new)
+      return cert
+    end
+  end
+end

data/lib/ios-cert-enrollment/ssl.rb ADDED

@@ -0,0 +1,17 @@
+module IOSCertEnrollment
+  module SSL
+    @@key, @@certificate = nil
+    class << self
+      def key
+        return @@key if @@key
+        return @@key = OpenSSL::PKey::RSA.new(File.read(IOSCertEnrollment.ssl_key_path))
+      end
+      def certificate
+        return @@certificate if @@certificate
+        return @@certificate = OpenSSL::X509::Certificate.new(File.read(IOSCertEnrollment.ssl_certificate_path))
+      end
+    end
+  end
+end

data/lib/ios-cert-enrollment/version.rb ADDED

@@ -0,0 +1,3 @@
+module IOSCertEnrollment
+  VERSION = '0.0.2'.freeze unless defined?(::IOSCertEnrollment::VERSION)
+end

metadata ADDED

@@ -0,0 +1,130 @@
+--- !ruby/object:Gem::Specification
+name: ios-cert-enrollment
+version: !ruby/object:Gem::Version
+  hash: 27
+  prerelease:
+  segments:
+  - 0
+  - 0
+  - 2
+  version: 0.0.2
+platform: ruby
+authors:
+- Nolan Brown
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2012-05-10 00:00:00 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        hash: 3
+        segments:
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        hash: 3
+        segments:
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency
+  name: uuidtools
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        hash: 3
+        segments:
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency
+  name: plist
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        hash: 3
+        segments:
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id004
+description: Easy tools to implement a SCEP server for iOS Configuration Profiles
+email: nolanbrown@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/ios-cert-enrollment.rb
+- lib/ios-cert-enrollment/certificate.rb
+- lib/ios-cert-enrollment/configuration.rb
+- lib/ios-cert-enrollment/device.rb
+- lib/ios-cert-enrollment/profile.rb
+- lib/ios-cert-enrollment/sign.rb
+- lib/ios-cert-enrollment/ssl.rb
+- lib/ios-cert-enrollment/version.rb
+homepage: http://github.com/nolanbrown
+licenses: []
+post_install_message:
+rdoc_options:
+- --title
+- iOS Portal
+- --main
+require_paths:
+- lib
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      hash: 3
+      segments:
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      hash: 3
+      segments:
+      - 0
+      version: "0"
+requirements: []
+rubyforge_project:
+rubygems_version: 1.8.24
+signing_key:
+specification_version: 3
+summary: SCEP server for iOS Configuration Profiles
+test_files: []